Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Hi Lukas,
sorry to say, but nothing helps.
I have just updated IPA server, so that now it is:
[root@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
with:
[root@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and restarted sssd.
No difference, still:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file. This incident will be reported.

I guess I will pilot some more IPA clients to make sure it works reliably and if yes, I guess we will be able to live with the fact that older Linuxes do not offer sudo to AD clients.
Or do you think there is something more to try?

Thanks
T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by following errors which might be caused by issues
> with old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> borek.pa...@sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=acco...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=borek.pa...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try new feature in sssd-1.13 on el6 which will
> avoid using compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve issue with extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
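The sssd.conf checks that Lukas's replies in this thread boil down to (sudo_provider matching id_provider, ldap_sudo_search_base still pointing at the compat tree, the sudo responder enabled), as an added example that is not part of the thread; the sample config is constructed from the values quoted in the thread, and the cn=sudo alternative is Lukas's suggestion for sssd 1.13.

```python
"""Audit an sssd.conf for the IPA sudo pitfalls discussed in this thread.

Added example, not part of the original thread. It flags:
  * sudo_provider = ldap while id_provider = ipa (two different providers)
  * ldap_sudo_search_base still pointing at the compat tree (ou=sudoers,...)
    instead of the native sudo tree (cn=sudo,...) suggested for sssd 1.13
  * the sudo responder missing from [sssd] services
"""
import configparser
import io

# Constructed sample mirroring the CentOS 6 client config posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/linuxdomain.cz]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = linuxdomain.cz
ipa_server = svlxxipap.linuxdomain.cz
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[sudo]
debug_level = 0x3ff0
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; option names stay case-sensitive as sssd expects."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def audit_sudo(cp):
    """Return (section-or-domain, finding) tuples; an empty list means no finding."""
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append(("sssd", "sudo responder not listed in [sssd] services"))
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        if name not in enabled:
            findings.append((name, "domain section exists but is not in [sssd] domains"))
        idp = cp.get(section, "id_provider", fallback=None)
        # sssd defaults sudo_provider to the id_provider when it is not set
        sudop = cp.get(section, "sudo_provider", fallback=idp)
        if idp == "ipa" and sudop != "ipa":
            findings.append((name, f"sudo_provider={sudop} differs from id_provider=ipa; "
                                   "use sudo_provider = ipa"))
        base = cp.get(section, "ldap_sudo_search_base", fallback="")
        if base.lower().startswith("ou=sudoers,"):
            suggested = "cn=sudo," + base.split(",", 1)[1]
            findings.append((name, f"ldap_sudo_search_base uses the compat tree {base}; "
                                   f"sssd 1.13 can use {suggested} instead"))
    return findings


def main():
    for where, finding in audit_sudo(load_sssd_conf(SAMPLE_SSSD_CONF)):
        print(f"[{where}] {finding}")


if __name__ == "__main__":
    main()
```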
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id simecek.to...@sd-stc.cz."
It is the user I am testing with all the time.
Here is what I see on client where sudo does not work:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ id
uid=988604700(simecek.to...@sd-stc.cz) gid=988604700(simecek.to...@sd-stc.cz) groups=988604700(simecek.to...@sd-stc.cz),43124(grpunixadmins),988600513(domain us...@sd-stc.cz),988604182(acco...@sd-stc.cz),988604754(mfcr_...@sd-stc.cz),988604825(unixadm...@sd-stc.cz),988604833(wifiadm...@sd-stc.cz)

You can see Centos 6.6 client knows about all the groups assigned to the users, incl. AD groups (unixadmins), which seems funny to me.
You are right, IPA server is Centos 7.0 and functional client is Centos 7.0 as well. Both login and sudo work on client with Centos 7.0.
Rules on IPA server are set to work on both clients, but work only on 7.0.
If I run update on server, it would update ipa-server from v. 4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.
Does it make sense now?

Thanks
T.

2016-07-14 12:21 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (14/07/16 11:26), Tomas Simecek wrote:
> >Hi Lukas,
> >we have Active Directory group "UnixAdmins"
> >.
> >We have IPA external group ad_admins_external
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
> >Windows "UnixAdmins" group as a member.
> >We have local IPA group grpunixadmins
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
> >ad_admins_external group as a member.
> >So from that perspective user simecek.to...@sd-stc.cz is a member of
> >grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
> >That setup works for ssh logins and for sudo on Centos 7.0.
> >
> If user is member of group in IPA it does not mean that
> it's properly propagated to client :-)
>
> I can see few errors in log
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[ipa_s2n_save_objects] (0x2000): Updating memberships for
> >simecek.to...@sd-stc.cz
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Please test with id simecek.to...@sd-stc.cz.
> I'm pretty sure that you will not see a group grpunixadmins.
>
> BTW according to domain logs it looks like a bug with extop plugin
> on freeipa server. I assume that ipa server is on CentOS 7.0
> because you mention it works on Centos 7.0.
>
> I would strongly recommend to upgrade server to 7.2
>
> LS
>
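A small triage script for the two kinds of sssd log lines this thread turns on: the sysdb_update_members_ex membership failures Lukas quotes above, and the sudo responder's sysdb query and "Returning N rules" lines shown in the original post further down. This is an added example, not from the thread; the sample log lines are constructed in the shape of the quoted excerpts, with placeholder user and domain names.

```python
"""Triage sssd sudo and domain logs for the symptoms seen in this thread.

Added example, not from the thread. It pulls out of the sssd debug logs:
  * the groups the sudo responder substitutes into its sysdb query
  * how many sudo rules the responder returned from cache
  * group memberships the backend failed to store (sysdb_update_members_ex)
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<proc>.*?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
GROUP_RE = re.compile(r"\(sudoUser=%([^)]+)\)")
RULES_RE = re.compile(r"Returning (\d+) rules for \[(.*)\]")
MEMBER_RE = re.compile(r"Could not add member \[(.*?)\] to group \[(.*?)\]\. Skipping\.")

# Constructed sample lines shaped like the sssd_sudo.log and domain log
# excerpts posted in the thread (user1@ad.example is a placeholder).
SAMPLE_LOG = """\
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1@ad.example)(sudoUser=#988604700)(sudoUser=%domain users@ad.example)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@ad.example]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=user1@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for user1@ad.example
"""


def parse_lines(text):
    """Yield a dict per line that matches the sssd debug log format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def triage(text):
    """Summarise the sudo-relevant facts found in a log excerpt."""
    summary = {"query_groups": [], "rules_returned": [],
               "membership_failures": [], "ldb_errors": Counter()}
    for rec in parse_lines(text):
        func, msg = rec["func"], rec["msg"]
        if func == "sudosrv_get_sudorules_query_cache":
            # groups the responder thinks the user belongs to (sudoUser=%group)
            summary["query_groups"].extend(GROUP_RE.findall(msg))
        elif func == "sudosrv_get_sudorules_from_cache":
            m = RULES_RE.search(msg)
            if m:
                summary["rules_returned"].append((m.group(2), int(m.group(1))))
        elif func == "sysdb_update_members_ex":
            m = MEMBER_RE.search(msg)
            if m:
                summary["membership_failures"].append((m.group(1), m.group(2)))
        elif func == "sysdb_mod_group_member" and "ldb_modify failed" in msg:
            summary["ldb_errors"][rec["proc"]] += 1
    return summary


def verdict(summary, expected_group):
    """One-line explanation of why sudo would answer 'not in the sudoers file'."""
    if expected_group not in summary["query_groups"]:
        return f"group {expected_group} is not part of the sudo query: membership not propagated"
    if any(n == 0 for _, n in summary["rules_returned"]):
        return "responder queried the right groups but the cache holds 0 sudo rules: check the rule refresh"
    return "no sudo-side problem visible in this excerpt"


def main():
    s = triage(SAMPLE_LOG)
    print("query groups:", s["query_groups"])
    print("rules returned:", s["rules_returned"])
    print("membership failures:", s["membership_failures"])
    print("ldb_modify failures per process:", dict(s["ldb_errors"]))
    print("verdict:", verdict(s, "grpunixadmins"))


if __name__ == "__main__":
    main()
```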
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific commands, in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:
[root@zp-cml-test ~]# which service
/sbin/service
[root@zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16 2014 /sbin/service
[root@zp-cml-test ~]# logout
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file. This incident will be reported.

Thanks anyway, let me know if something else comes to your mind.
Tomas

2016-07-14 11:51 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
> hi,
>
> just a long shot here..
>
> I've been battling sudo for a couple days now and found that my issue was
> one related to symlinks
> on centos7 'which cat' says /bin/cat
> but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
> it sees one and to prevent abuse it requires the 'real' path for the sudo
> rule : ALL=(ALL) /usr/bin/cat
> on centos6 which cat also says /bin/cat but since /bin is not a symlink it
> requires the sudo rule to be ALL=(ALL) /bin/cat
> so for the sudo to work on both centos6 and centos7 you would require 2
> sudo rules.
>
> Ignore me if this is irrelevant.
>
> Just my 2 cents
> Rob
>
> 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>
>> On (14/07/16 10:09), Tomas Simecek wrote:
>> >Thanks all of you guys,
>> >I have updated to:
>> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-1.13.3-22.el6_8.4.x86_64
>> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
>> >sssd-client-1.13.3-22.el6_8.4.x86_64
>> >sssd-ad-1.13.3-22.el6_8.4.x86_64
>> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
>> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
>> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>> >and restarted sssd.
>> >
>> >There are two rules enabled. One HBAC as I presented earlier:
>> > Rule name: Unixari na test servery
>> > Enabled: TRUE
>> > User Groups: grpunixadmins
>> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> > Services: login, sshd, sudo, sudo-i, su, su-l
>> >
>> >and one sudo rule:
>> >Rule name: Pokusne
>> > Enabled: TRUE
>> > Command category: all
>> > User Groups: grpunixadmins
>> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >
>> >Default "all-access" rules are disabled.
>> >
>> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
>> >still get:
>> >
>> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>> >[sudo] password for simecek.to...@sd-stc.cz:
>> >simecek.to...@sd-stc.cz is not in the sudoers file. This incident will
>> be
>> >reported.
>> >
>> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>> >
>> >sssd.conf:
>> >[domain/linuxdomain.cz]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = linuxdomain.cz
>> >id_provider = ipa
>> >krb5_realm = LINUXDOMAIN.CZ
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = zp-cml-test.linuxdomain.cz
>> >chpass_provider = ipa
>> >ipa_server = svlxxipap.linuxdomain.cz
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >override_shell = /bin/bash
>> >sudo_provider = ipa
>> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> >ldap_sasl_mech = GSSAPI
>> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
>> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>> >ldap_sasl_realm = LINUXDOMAIN.CZ
>> >krb5_server = svlxxipap.linuxdomain.cz
>> >debug_level = 0x3ff0
>> >[sssd]
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >domains = linuxdomain.cz
>> >[nss]
>> >homedir_substring = /home
>> >[pam]
>> >[sudo]
>> >debug_level = 0x3ff0
>> >[autofs]
>> >[ssh]
>> >[pac]
>> >[ifp]
>> >
>> >
>> >sssd_sudo.log from the moment I trie
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external <https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has ad_admins_external group as a member.
So from that perspective user simecek.to...@sd-stc.cz is a member of grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
That setup works for ssh logins and for sudo on Centos 7.0.
It is as per installation document https://www.freeipa.org/page/Active_Directory_trust_setup
Correct me if I am wrong, but if it works on Client 1, it should also work on Client 2.

T.

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> > Rule name: Unixari na test servery
> > Enabled: TRUE
> > User Groups: grpunixadmins
> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> > Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> > Enabled: TRUE
> > Command category: all
> > User Groups: grpunixadmins
> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file. This incident will
> be
> >reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> >to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 0
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Thanks, I will try.
But I am afraid to update to more recent version than those in official repos.
Thanks anyway.
T.

2016-07-13 15:39 GMT+02:00 <ladner.dan...@gmail.com>:
> Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa
> provider did not work under 1.11
>
> Sent from my iPhone
>
> On Jul 13, 2016, at 9:02 AM, Tomas Simecek <simecek.to...@gmail.com>
> wrote:
>
> Hi,
> versions are:
> sssd-client-1.11.6-30.el6.x86_64
> sssd-ipa-1.11.6-30.el6.x86_64
> ipa-client-3.0.0-50.el6.centos.1.x86_64
> as part of:
> CentOS release 6.6 (Final)
>
> T.
>
> 2016-07-13 14:52 GMT+02:00 <ladner.dan...@gmail.com>:
>
>> Again what is client version on 6.5?
>>
>>
>> Sent from my iPhone
>>
>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek <simecek.to...@gmail.com>
>> wrote:
>>
>> Thanks for your information Lukas,
>> I have changed sudo_provider to ipa, restarted sssd and no difference.
>> Logfile still says "Access granted by HBAC rule..." and sudo says
>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>
>> Btw. man sssd-sudo says:
>> The following example shows how to configure SSSD to download
>> sudo rules from an LDAP server.
>>
>> [sssd]
>> config_file_version = 2
>> services = nss, pam, sudo
>> domains = EXAMPLE
>>
>> [domain/EXAMPLE]
>> id_provider = ldap
>>
>> so I am not that sure what should be set on my version of sssd.
>>
>> Any idea?
>>
>> Thanks
>>
>> T.
>>
>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>>
>>> On (13/07/16 13:36), Tomas Simecek wrote:
>>> >Lukas,
>>> >yes, I went through that guide and I configured sssd.conf as per the doc
>>> >(you can see it in the beginning of the thread).
>>> >
>>> >Actually the installation is:
>>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>>> >CentOS release 6.6 (Final)
>>> >
>>> >and versions are:
>>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>>> >sssd-proxy-1.11.6-30.el6.x86_64
>>> >sssd-common-pac-1.11.6-30.el6.x86_64
>>> >sssd-ipa-1.11.6-30.el6.x86_64
>>> >sssd-1.11.6-30.el6.x86_64
>>> >sssd-common-1.11.6-30.el6.x86_64
>>> >sssd-ad-1.11.6-30.el6.x86_64
>>> >sssd-ldap-1.11.6-30.el6.x86_64
>>> >python-sssdconfig-1.11.6-30.el6.noarch
>>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>>> >sssd-krb5-1.11.6-30.el6.x86_64
>>> >sssd-client-1.11.6-30.el6.x86_64
>>> >
>>> 1.11 has sudo_provider=ipa
>>>
>>> @see instructions in man sssd-sudo how to configure it.
>>> It should avoid issues with two different providers (ipa and ldap)
>>>
>>> >
>>> >There are some reasons why not to upgrade to later versions, believe
>>> me, I
>>> >would do it if I could :-)
>>> >
>>> You can at least try to upgrade sssd from 6.8 if you do not want
>>> to upgrade whole OS.
>>>
>>> LS
>>>
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Hi,
versions are:
sssd-client-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-client-3.0.0-50.el6.centos.1.x86_64
as part of:
CentOS release 6.6 (Final)

T.

2016-07-13 14:52 GMT+02:00 <ladner.dan...@gmail.com>:
> Again what is client version on 6.5?
>
>
> Sent from my iPhone
>
> On Jul 13, 2016, at 8:25 AM, Tomas Simecek <simecek.to...@gmail.com>
> wrote:
>
> Thanks for your information Lukas,
> I have changed sudo_provider to ipa, restarted sssd and no difference.
> Logfile still says "Access granted by HBAC rule..." and sudo says
> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>
> Btw. man sssd-sudo says:
> The following example shows how to configure SSSD to download
> sudo rules from an LDAP server.
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> domains = EXAMPLE
>
> [domain/EXAMPLE]
> id_provider = ldap
>
> so I am not that sure what should be set on my version of sssd.
>
> Any idea?
>
> Thanks
>
> T.
>
> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>
>> On (13/07/16 13:36), Tomas Simecek wrote:
>> >Lukas,
>> >yes, I went through that guide and I configured sssd.conf as per the doc
>> >(you can see it in the beginning of the thread).
>> >
>> >Actually the installation is:
>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>> >CentOS release 6.6 (Final)
>> >
>> >and versions are:
>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>> >sssd-proxy-1.11.6-30.el6.x86_64
>> >sssd-common-pac-1.11.6-30.el6.x86_64
>> >sssd-ipa-1.11.6-30.el6.x86_64
>> >sssd-1.11.6-30.el6.x86_64
>> >sssd-common-1.11.6-30.el6.x86_64
>> >sssd-ad-1.11.6-30.el6.x86_64
>> >sssd-ldap-1.11.6-30.el6.x86_64
>> >python-sssdconfig-1.11.6-30.el6.noarch
>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>> >sssd-krb5-1.11.6-30.el6.x86_64
>> >sssd-client-1.11.6-30.el6.x86_64
>> >
>> 1.11 has sudo_provider=ipa
>>
>> @see instructions in man sssd-sudo how to configure it.
>> It should avoid issues with two different providers (ipa and ldap)
>>
>> >
>> >There are some reasons why not to upgrade to later versions, believe me,
>> I
>> >would do it if I could :-)
>> >
>> You can at least try to upgrade sssd from 6.8 if you do not want
>> to upgrade whole OS.
>>
>> LS
>>
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Thanks for your information Lukas,
I have changed sudo_provider to ipa, restarted sssd and no difference.
Logfile still says "Access granted by HBAC rule..." and sudo says simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.

Btw. man sssd-sudo says:
The following example shows how to configure SSSD to download sudo rules from an LDAP server.

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap

so I am not that sure what should be set on my version of sssd.

Any idea?

Thanks

T.

2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (13/07/16 13:36), Tomas Simecek wrote:
> >Lukas,
> >yes, I went through that guide and I configured sssd.conf as per the doc
> >(you can see it in the beginning of the thread).
> >
> >Actually the installation is:
> >[root@zp-cml-test sssd]# cat /etc/redhat-release
> >CentOS release 6.6 (Final)
> >
> >and versions are:
> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
> >sssd-proxy-1.11.6-30.el6.x86_64
> >sssd-common-pac-1.11.6-30.el6.x86_64
> >sssd-ipa-1.11.6-30.el6.x86_64
> >sssd-1.11.6-30.el6.x86_64
> >sssd-common-1.11.6-30.el6.x86_64
> >sssd-ad-1.11.6-30.el6.x86_64
> >sssd-ldap-1.11.6-30.el6.x86_64
> >python-sssdconfig-1.11.6-30.el6.noarch
> >sssd-krb5-common-1.11.6-30.el6.x86_64
> >sssd-krb5-1.11.6-30.el6.x86_64
> >sssd-client-1.11.6-30.el6.x86_64
> >
> 1.11 has sudo_provider=ipa
>
> @see instructions in man sssd-sudo how to configure it.
> It should avoid issues with two different providers (ipa and ldap)
>
> >
> >There are some reasons why not to upgrade to later versions, believe me, I
> >would do it if I could :-)
> >
> You can at least try to upgrade sssd from 6.8 if you do not want
> to upgrade whole OS.
>
> LS
>
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc (you can see it in the beginning of the thread).

Actually the installation is:
[root@zp-cml-test sssd]# cat /etc/redhat-release
CentOS release 6.6 (Final)

and versions are:
[root@zp-cml-test sssd]# rpm -qa |grep sssd
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64

There are some reasons why not to upgrade to later versions, believe me, I would do it if I could :-)

T.

2016-07-13 13:27 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (13/07/16 11:18), Tomas Simecek wrote:
> >Dear freeIPA gurus,
> >in previous thread (
> >https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html)
> you
> >helped me make sudo working for AD users on Centos 7.0 (
> >spcss-2t-www.linuxdomain.cz).
> >It was caused by not knowing sudo needs to be enabled in HBAC rules.
> >Now it works properly on Centos 7.0 client.
> >But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> >same sssd.conf setup.
> >Error message is always:
> >
> A) I would not recommend to use such obsolete distribution as CentOS 6.5
>    There is quite old version of sssd (1.9.x) which has some bugs which
>    are solved in later versions. Better would be use the latest CentOS 6.8
>    or at least CentOS 6.7
>
> B) Have you tried to follow instructions
>    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> Please provide any comments how we can improve troubleshooting wiki.
>
> LS
>
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

Tomas Simecek

2016-07-13 11:50 GMT+02:00 Jakub Hrozek <jhro...@redhat.com&
[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Dear freeIPA gurus,
in previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo work for AD users on Centos 7.0 (spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup.
Error message is always:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test. This incident will be reported.

Here are my HBAC rules, the second one should apply. It definitely applies for Centos 7.0 server:
[root@svlxxipap ~]# ipa hbacrule-find
2 HBAC rules matched
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: Unixari na test servery
  Enabled: TRUE
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
  Services: login, sshd, sudo, sudo-i, su, su-l
Number of entries returned 2

This is my /etc/sssd/sssd.conf.
It is the same as on Centos 7.0 server, just with proper server name of course:
[root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

This is output from sssd_sudo.log:
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=% mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' sd-stc.cz',
Re: [Freeipa-users] Freeipa and sudo
x2000): Setting up signal handler up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server ' svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.to...@sd-stc.cz] is empty. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480] done. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [32186]. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [32186] finished successfully. 
I'll appreciate any other hints if you have some.
Thanks,
Tomas Simecek

2016-07-05 15:58 GMT+02:00 Danila Ladner <ladner.dan...@gmail.com>:
> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?
>
> On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <simecek.to...@gmail.com> wrote:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
>> Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can log in without problems.
>> What I cannot make work is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.to...@sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on the client side could be:
>>
>> [root@spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
>> Password for simecek.to...@sd-stc.cz:
>> [root@spcss-2t-www ~]# klist
>> Default principal: simecek.to...@sd-stc.cz
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>>
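The log excerpt at the top of this message is one second of a back-end log at full debug level, where the few failure-level entries sit among trace lines. The Python below is an added example, not code from the thread or from the SSSD project: it parses lines in that format and keeps the entries whose level is one of SSSD's failure levels (0x0010 to 0x0080, as documented for debug_level in sssd.conf(5)), then counts them per function so repeats stand out. The sample lines are constructed from the excerpt. The script does not decide whether a flagged entry is the cause of a problem; in the excerpt, for instance, the PAM request is still reported as Success afterwards.

```python
"""Triage an SSSD back-end debug log: parse each entry and pull out the
ones logged at a failure level. Added example; not code from the thread
or from the SSSD project."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the format of the sssd_linuxdomain.cz.log excerpt
# posted in the thread (names and pid taken from that excerpt).
SAMPLE_LOG = """\
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32186]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [32186] finished successfully.
not a log line at all
"""

# Debug-level bits as documented for debug_level in sssd.conf(5).
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor failure",
    0x0100: "configuration", 0x0200: "function data", 0x0400: "operation trace",
    0x1000: "internal control trace", 0x2000: "variable contents", 0x4000: "low-level trace",
}
FAILURE_MAX_LEVEL = 0x0080   # 0x0010 .. 0x0080 are the failure levels

# (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


class Entry(NamedTuple):
    timestamp: str
    process: str
    function: str
    level: int
    message: str


def parse_sssd_log(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse log text; return (entries, non-blank lines that did not match)."""
    entries: List[Entry] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)
            continue
        entries.append(Entry(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"]))
    return entries, unparsed


def failures(entries: List[Entry]) -> List[Entry]:
    """Keep only entries logged at a failure level (fatal .. minor failure)."""
    return [e for e in entries if e.level <= FAILURE_MAX_LEVEL]


def summarise(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Count failure entries per (function, level name) so repeats stand out."""
    counts = Counter(
        (e.function, LEVEL_NAMES.get(e.level, hex(e.level))) for e in failures(entries)
    )
    return dict(counts)


if __name__ == "__main__":
    parsed, bad = parse_sssd_log(SAMPLE_LOG)
    for (func, level), n in summarise(parsed).items():
        print(f"{n:3d}  {level:<14} {func}")
    for e in failures(parsed):
        print(f"  {e.timestamp}  [{e.function}] {e.message}")
    if bad:
        print(f"{len(bad)} line(s) did not match the log format")
```

To run it on a real file, pass the contents of /var/log/sssd/sssd_<domain>.log to parse_sssd_log instead of SAMPLE_LOG; the per-function counts are usually the quickest way to see which component is repeatedly failing before reading the surrounding trace lines.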
[Freeipa-users] Freeipa and sudo
Dear freeipa users/admins,
I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can log in without problems.
What I cannot make work is sudo from their AD accounts on Linux.

No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for simecek.to...@sd-stc.cz:
Sorry, try again.

Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Freeipa client: the same

AD domain name: sd-stc.cz
IPA domain: linuxdomain.cz

When digging in logs and googling, I realized that the problem on the client side could be:

[root@spcss-2t-www ~]# kinit -k
kinit: Cannot determine realm for host (principal host/spcss-2t-www@)

But this seems to work:
[root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
Password for simecek.to...@sd-stc.cz:
[root@spcss-2t-www ~]# klist
Default principal: simecek.to...@sd-stc.cz

Valid starting       Expires              Service principal
07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
        renew until 07/05/2016 09:36:23

My /etc/sssd/sssd.conf:
[domain/linuxdomain.cz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = linuxdomain.cz
[nss]
homedir_substring = /home

My /etc/krb5.conf:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUXDOMAIN.CZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  LINUXDOMAIN.CZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .linuxdomain.cz = LINUXDOMAIN.CZ
  linuxdomain.cz = LINUXDOMAIN.CZ

Would you please suggest which way to investigate?
Thanks
Tomas Simecek
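The posts in this thread touch three settings that all have to agree before sudo can see rules served by SSSD: the sudo responder in the [sssd] services list, the sudo provider and search base in the domain section, and the nsswitch database that sudo itself consults (named sudoers in nsswitch.conf). The Python below is an added example, not code from the thread, from SSSD or from FreeIPA: it reads an sssd.conf and an nsswitch.conf fragment and lists the settings an administrator would want to double-check. The sssd.conf sample is constructed from the one posted above (elided values left out), and the nsswitch lines are constructed. It assumes SSSD 1.13 or later, where sudo_provider = ipa exists and is the default whenever id_provider = ipa; what it prints are points to verify, not a diagnosis of the thread's problem.

```python
"""Lint the SSSD and nsswitch settings that decide whether sudo can see
IPA sudo rules. Added example; not code from the thread, SSSD or FreeIPA."""
import configparser
from typing import Dict, List

# Constructed sample, modelled on the sssd.conf posted in the thread
# (abbreviated; elided values left out).
SAMPLE_SSSD_CONF = """\
[domain/linuxdomain.cz]
cache_credentials = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[nss]
homedir_substring = /home
"""

# Constructed nsswitch.conf fragment in which sudo would never ask SSSD ...
SAMPLE_NSSWITCH_BAD = """\
passwd:     files sss
group:      files sss
sudoers:    files
"""
# ... and the same fragment with the sudoers database wired to SSSD.
SAMPLE_NSSWITCH_OK = SAMPLE_NSSWITCH_BAD.replace("sudoers:    files", "sudoers:    files sss")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database to its ordered list of sources."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def check_sudo_config(sssd_conf: str, nsswitch_conf: str) -> List[str]:
    """Return findings (empty list = nothing to flag) for the sudo lookup path."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    findings: List[str] = []

    # 1. The sudo responder must be started, or sudo's sss plugin has nothing to talk to.
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd: 'sudo' responder not listed in services")

    # 2. Per domain: which provider serves sudo rules, and from which subtree.
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        id_provider = cfg.get(section, "id_provider", fallback="")
        # sudo_provider defaults to id_provider when that provider can serve sudo rules.
        sudo_provider = cfg.get(section, "sudo_provider", fallback=id_provider)
        search_base = cfg.get(section, "ldap_sudo_search_base", fallback="")
        if id_provider == "ipa" and sudo_provider == "ldap":
            findings.append(f"{section}: sudo_provider=ldap overrides the native ipa sudo provider")
        if search_base.lower().startswith("ou=sudoers,"):
            findings.append(f"{section}: ldap_sudo_search_base points at the compat tree ({search_base})")

    # 3. sudo consults the 'sudoers' nsswitch database; without 'sss' it never asks SSSD.
    sources = parse_nsswitch(nsswitch_conf).get("sudoers", [])
    if "sss" not in sources:
        findings.append(f"nsswitch: sudoers sources {sources or ['<unset>']} do not include sss")
    return findings


if __name__ == "__main__":
    for finding in check_sudo_config(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH_BAD):
        print(finding)
```

On a real host, pass the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf to check_sudo_config. The compat-tree finding is informational: the ou=sudoers subtree is a valid source when the server's compat plugin serves it, but with an IPA id_provider the native provider can read the rules without it, so the lint points at the choice rather than condemning it.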